Technically GDPR could be amended to require compliance notifications to be non-obtrusive and still default to strong privacy protection like disabling non-essential functionality or data collection and processing.
Of course the ad companies rely on the bad and obtrusive pop-up design to annoy users into clicking accept.
Technically GDPR (and other similar regulations) do already require compliance notifications to be non-obtrusive, or at least rejecting consent to be no more difficult than accepting it.
Unfortunately that isn't adequately enforced so everyone gets away with making it a massive pain to reliably opt-out and very easy to accidentally permanently opt-in.
One could set the preferences in their browser once for every site and maybe add exceptions like in the camera permissions dialog. Make it a simple three choice option, like only necessary (login, shopping basket) cookies, analytics and all, defaulting to necessary only.
That part isn't necessarily related to the human rights (though there is the matter of data being carried off to wherever is liked, which counts IMO), but a suggestion that they are trying to use a little bit of good news (less pop-ups) to distract from bad news, of which there is a lot ATM:
- Bad decisions wrt handling the Afghanistan situation
- The potential weakening of workplace safety laws (starting with the relaxation of rules for lorry drivers, so they can be worked harder to fill the current gap instead of pay/conditions improving to attract more workers) and other employee protections post-Brexit
- ...
It is not unlike the tampon tax thing. They made a big deal about those no longer being subject to VAT on “Brexit day” when in fact that had been agreed by the EU more than two years earlier and could have been implemented there and then (so women kept paying the extra for that time just so the government could claim a cheap win at the end of that part of the process).
I think the cookie popups "normalized deviance". Since that is something required, maybe even thought of as virtuous, why not pop up two different boxes asking for the user's email address before they've had a chance to read the content?
As opposed to the EU stance, where sharing personal data with US organisations has repeatedly been found in court to violate the data protection rules? That mostly seems to be because US law grants its government security agencies much the same intrusive powers to examine data as most EU governments grant theirs and EU law explicitly allows for in the latter case. There are reasonable discussions to be had about the necessity for such measures and the safeguards and transparency requirements that are appropriate if they are used, but objecting to international data transfers on this basis, as EU courts have repeatedly done, seems a bit hypocritical.
> Data adequacy in this sense means an agreement that the protections in place are similar in two countries, with the idea of ensuring that personal information remains safe. It is a key part of EU regulations and was a minor sticking point in the Brexit negotiations.
I don't understand why cookie popups are a website feature rather than a browser feature. Wouldn't it make far more sense to just have the browser default to disabling cookies, and show a popup if the web page wants to use them? Then it would be simple to say "accept all cookies", or "always deny cookies" rather than having a new popup on each site.
Worth noting that Google would probably do its very best to keep anything like this from coming to fruition with its tight grip on Chrome and web standards. And it’s not in the interest of individual companies to go through with this since the odds that you just click “deny all cookies now and evermore” are pretty high.
Just a case of perverse incentives and conflicts of interest.
It's also not in the interest of websites to show the cookie popups either, but they do it because they are legally required to do so.
I mean I think regulating it in either place is a bit silly, but if we are going to force users to accept cookies on each site, putting it in the browser is far easier to enforce (since you don't have to go after each site that doesn't do it), and a much better user experience.
If the browser was to just disable the cookies API until the user allowed the site to store data in cookies, it wouldn't be something that the site would be able to ignore.
Because the relevant legislation was crafted by those who fundamentally do not understand how the web (or computers) work. The relevant parts of the GDPR should always have described a protocol where the browser acts as an agent on behalf of the user to declare privacy intent.
The GDPR is already technology neutral. You're thinking of the cookie law, which is different (but often confused with the GDPR). Or perhaps you've been hoodwinked by people who are using annoying consent pop-ups to pretend to adhere to the GDPR (they don't).
The browser could also have a setting for EU (GDPR) mode that would enable the cookie notifications. As there is no way for a website to automatically determine if a user is an EU citizen.
The U.S. has them, not because of data protection in the U.S. but because of EU enforcement. All this will do is change the legal basis and likely keep the cookies.
This is the most important point. The EU is big enough that a large proportion of the world has put the cookie popups in. Whether they have done it right is a matter for a separate argument. The UK changing its laws isn't going to change any of this. The only thing it can do is give the bad consequences - the UK isn't big enough for this change to actually cause any good consequences.
The solution to the problem of loads of web sites making illegal cookie nag-screens isn't to relax the laws so that they can legally steal our data - it is instead to actually prosecute for the nag-screens.
As a potentially interesting data point for those not keeping up with privacy and data processing in the UK, next week (1 September) also marks the time the NHS will opt everyone into sharing their personal health records for "research and planning" purposes by default (this is about the GPDPR, which is obviously not named confusingly similarly to the GDPR).
Details about what this really means, who will get access to the data, and what regulatory or legal consequences they will face if it's abused are disturbingly vague. In theory, there has already been a two-month delay in doing this due to concerns the first time around about a lack of public awareness. I have seen exactly zero further public information campaigning on the subject during the additional time.
Right now, as someone who believes strongly in the importance of personal privacy and restricting the sharing of sensitive personal data, I am more concerned about that imminent development than this one.
For anyone in the UK who is concerned about that, there is still just about time to opt out via NHS Digital's online system. Make sure you also notify your GPs, as it seems there will now be two systems involved and they require separate opt-outs.
(I'm using "UK" here, but if this affects you, please be aware that the rules may differ depending on whether you're in England, Scotland, etc.)
It's difficult to see how the other part (run centrally by NHS Digital based on the GP data) could go ahead without this part in place, so maybe they really did listen to reason and back down until they've got proper measures in place.
That would actually be quite reassuring in connection with today's announcement that we're discussing here. If those in government really have understood that there are some lines that shouldn't be crossed when it comes to privacy and personal data and they really are genuinely interested in getting rid of the excessive red tape that some of the EU rules do impose on anyone working with personal data, this might be a positive story after all.
I don’t know why so many companies implement the cookie banner in such an intentionally obtrusive way. Has there ever been any instance ever of a company being fined because their cookie banner was confined to a small widget with an X in the bottom of the page?
It’s not like framing your “consent screen” in a giant modal is going to make up for the 100 checkboxes behind the “advanced” link that each require a separate HTTP request to disable. Or that after disabling them, you’re lucky if they stay disabled for longer than the page session. And it doesn’t shake the feeling that “disabling” a tracker generates more signal than the tracker itself.
Anyone who implements this at their company is an idiot and an enabler. The profiteering companies encouraging the practice are little better than Outbrain, Disqus or Google AMP – an absolute cancer on the web. Oh, and I bet they’ve got lobbyists too. If you work as a developer at a company building consent modals, you are truly a useful idiot.
They brought on a new guy and the main thing he highlights is pop ups? Also, reading through the article it feels like the "Advancement" will be to not show the pop up but provide a button somewhere to have the user change the defaults which will be allow all cookies. I will be really surprised if it doesn't turn out that way.
I'm actually OK with webpages just sending whatever cookies they like. Though it took me quite a bit of effort to ensure my web browser does something sensible with them, which really ought to be a lot easier (and we may be getting there, but permanently storing cookies really ought to be the exception).
I'm slightly worried about all the other stuff they mentioned. Sure less red tape is nice, but it's a fine line between less box-ticking and simply no protection at all.
Implementing GDPR and CCPA is a huge pain for publishers now; here we have a new standard to understand and comply with. Nobody stopped setting cookies, they just added CMP vendors which set their own cookies. I can’t think of a single thing a regulator has done to make the web more private. Browsers and extensions are the beginning and end of what stops tracking and abuse.
So basically "Think of the children!". Their fingers must no longer be exposed to exhaustive clicking of EU-mandated pop-ups...
If eroding, still woefully inadequate, data protection, instead of simply mandating improvements to deliberately broken UIs, is the first thing future "Information Commissioner" intends to do, God Save The Queen's Browsing History!
The problem is that I’m sure the general public will be in favour of removing those banners.
This is like dissolving public education to remove those pesky exams from children’s lives.
It aligns with Tory business interests so taking everything into account I’m sure it will go ahead but the level of dishonesty is surprising.
I’ll be paying attention to anyone calling this out.